All physicians and healthcare facilities highly value the security of their patients’ financial and health information, which has come to be called “Protected Health Information” (“PHI”). But sometimes, even with the best of intentions, security measures fail and patient data is breached. Since the risks of financial or reputational harm are high in the event of such a breach, physicians and other providers are required to notify the affected patients so they can take appropriate actions to decrease their chances of being victims of identity theft or other harm.
However, even though a provider may take all the necessary steps to notify the affected patients, that’s not the end of the story. The next chapter is a potential investigation by the Office for Civil Rights of the Department of Health and Human Services (“OCR”). OCR enforces the HIPAA Privacy and Security Rules, and may initiate an investigation upon being notified of the breach or upon receiving a complaint from an affected patient.
OCR will usually notify the covered entity of the investigation and request relevant information, but if a “surprise” facility visit occurs, the covered entity should first verify the identity and authority of the investigators, including law enforcement personnel, contact legal counsel, and notify staff that an investigator is on the premises. With the assistance of legal counsel, a copy of any warrant, subpoena, or other authority of the investigators should be requested. In general, when OCR initiates an investigation it examines the following: (1) policies and procedures, (2) other documentation, (3) employee training information, (4) business associate agreements and contracts, and (5) internal risk analysis and management.
If an OCR investigation occurs, the provider should consider the following steps in preparation:
- Update HIPAA Policies and Procedures: After any HIPAA breach, the covered entity should re-evaluate internal policies and procedures to address the breach and implement more adequate HIPAA policies. Importantly, the covered entity should make written documentation of all steps taken in updating and implementing new HIPAA policies and procedures.
- Initiate an Internal Risk Assessment: In the case of any recent breach, it may be helpful to implement an internal HIPAA audit regarding the immediate areas of vulnerability inside the practice. All funds spent in implementing a new compliance plan should be documented.
- Institute New Workforce Training Procedures: The practice should implement a new employee training program and/or ensure that all current employees have received up-to-date HIPAA training. The covered entity should keep time records for training and training materials for all training programs. Most importantly, the covered entity should require all employees to execute a signed written compliance certification stating that they have read, understood, and shall abide by HIPAA policies and procedures.
- Review Physical Security of Facilities and Mobile Devices: During an investigation, OCR may review the physical security of a covered entity and the security of mobile devices that contain e-PHI. If any recent breach involved physical safeguards, the covered entity should re-evaluate its current policies and consider whether they specify methods used to control physical access such as door locks, electronic access control systems, security officers, video monitoring, adequate signage, and access badges.
- Review Business Associate Agreements: All business associate agreements should be updated to reflect the covered entity’s updated HIPAA practices and should specifically allocate responsibility in the case of a breach, including ensuring that adequate indemnification provisions are in place to protect covered entities from improper actions undertaken by their business associates.
- Update Disclosure Log: Review and update the covered entity’s HIPAA Disclosure Log to reflect the recent breach as well as any other incidents not previously recorded.
- Update Notice of Privacy Practices: In light of the possible compliance review outlined above, a covered entity should also update its Notice of Privacy Practices for Protected Health Information.
- Update Breach Notification Procedures: In the case of a breach, the covered entity should maintain written documentation of all corrective action taken, of why any particular corrective action was unnecessary, and of all measures taken to mitigate the effects of the recent breach.
- Review Policy for Medical Record Requests: The covered entity’s HIPAA compliance review should include an assessment of the current policies and procedures for authenticating patient record requests and for releasing those medical records to the appropriate individuals.
- Evaluate Appropriate Monitors for User Access to Medical Records: The practice should review its policies and procedures to make sure they clearly identify employees, or classes of employees, who will have access to PHI, and ensure that those same policies and procedures address “access authorization, establishment, modification and termination.” A practice using an electronic health record system should also ensure that appropriate controls are in place so that only those individuals who have a “need to know” can access certain parts of a patient’s medical record.
The above steps are a starting point for implementing a more robust HIPAA compliance program at any medical practice in preparation for a potential HIPAA investigation. Various other considerations, such as PHI in e-mails, de-identifying PHI, and the use of encryption technologies throughout a Health IT system, may merit further consideration with the help of a legal specialist. All the effort a medical practice invests in creating a system for dealing with HIPAA breaches or investigations will pay off abundantly if and when either occurs.